Matrix
Matrix (also known as Malta) is a ransomware that runs on Microsoft Windows. It was discovered by Brad Duncan. It is aimed at Russian-speaking users.

== Behavior ==
While Matrix is running, it is very chatty with its Command & Control (C2) servers. At each stage of the encryption process, Matrix connects back to the C2 server and reports how far along in the process it is. Like Spora, Matrix also uploads a list of the file extensions it encrypted and the number of files per extension. It is not known whether Matrix changes its ransom demand based on the types of files reported.

Matrix performs the following actions on the infected computer:
* Deletes Shadow Volume Copies so that the victim cannot use them to recover files.
* Executes <code>bcdedit.exe /set {default} recoveryenabled no</code> to prevent the victim from booting into recovery mode.
* Executes <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures</code> to further block access to recovery options.

== Payload Transmission ==
Matrix is distributed by the RIG exploit kit via the EITest campaign. It is also distributed through email spam with malicious attachments, fake updates, and repackaged or infected installers.

== Infection ==
Matrix hides a folder and then creates a shortcut with the same name. It then makes a copy of the ransomware executable and saves it as desktop.ini in the original, now hidden, folder. The full command of this infected shortcut is:

<pre>%SystemRoot%\system32\cmd.exe /C explorer.exe "Documents" & type "Documents\desktop.ini" > "%TEMP%\OSw4Ptym.exe" && "%TEMP%\OSw4Ptym.exe"</pre>

Using the above example, when a user tries to open the Documents folder, the following steps are executed:
# explorer.exe opens the hidden Documents folder, so the user sees their files as normal and everything appears to be working correctly.
# The Documents folder's desktop.ini file, which is actually the ransomware executable, is copied to %TEMP%\OSw4Ptym.exe.
# The %TEMP%\OSw4Ptym.exe file is executed.
# Matrix infects the new computer or, if it is running on an already infected computer, checks for new files to encrypt.

This method allows Matrix to spread to new computers via both network shares and removable drives.

It then drops a ransom note which reads as follows:

<blockquote>
All your files have been encrypted!
All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)
Following violations were detected:
Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!
To unlock your files you have to pay the penalty!
You have only 96 hours to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible! Each 12 hours the payment size will be automatically increased by 100$!
You must pay the penalty through the Bitcoin Wallet.
To get your unique key and unlock files, you should send the following code: victim_id to our agent e-mails: redtablet9643@yahoo.com or decodedecode@tutanota.com
You will recieve all necessary instructions!
Hurry up or you will be arrested!!!
</blockquote>

Categories: Assembly, Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan
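The recovery-tampering commands listed under Behavior and the desktop.ini-to-%TEMP% shortcut command under Infection are both visible in process-creation telemetry, which makes them good detection anchors. The following is an added example (not code from the page or from any analysis of the sample) that runs a few command-line rules over constructed process events and correlates them by parent process. Python, the log format, and the event lines are my assumptions; the page does not name the command Matrix uses to delete shadow copies, so the vssadmin/wmic patterns are assumed from common ransomware practice, while the bcdedit and shortcut patterns come straight from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, modelled on the behaviour the page
# describes (not real telemetry). One event per line:
#   "<timestamp> <parent image> -> <image> : <command line>"
SAMPLE_EVENTS = """\
2019-03-04T10:02:11Z explorer.exe -> cmd.exe : %SystemRoot%\\system32\\cmd.exe /C explorer.exe "Documents" & type "Documents\\desktop.ini" > "%TEMP%\\OSw4Ptym.exe" && "%TEMP%\\OSw4Ptym.exe"
2019-03-04T10:02:14Z OSw4Ptym.exe -> vssadmin.exe : vssadmin.exe delete shadows /all /quiet
2019-03-04T10:02:15Z OSw4Ptym.exe -> bcdedit.exe : bcdedit.exe /set {default} recoveryenabled no
2019-03-04T10:02:15Z OSw4Ptym.exe -> bcdedit.exe : bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2019-03-04T10:05:00Z services.exe -> svchost.exe : svchost.exe -k netsvcs
2019-03-04T10:06:30Z cmd.exe -> bcdedit.exe : bcdedit.exe /enum
"""

# Command-line rules. The two bcdedit rules and the shortcut rule mirror the page;
# the shadow-copy rule is an assumption (the page does not give the command).
RULES = [
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bootstatus_ignore",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("shadow_copy_delete",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    # "type <folder>\desktop.ini > %TEMP%\<name>.exe": a desktop.ini being copied
    # out as an executable, which a genuine desktop.ini never is.
    ("ini_to_temp_exec",
     re.compile(r'type\s+"?[^"&|>]*desktop\.ini"?\s*>\s*"?%TEMP%\\[^"&|]+\.exe', re.I)),
]


@dataclass
class Hit:
    timestamp: str
    parent: str
    image: str
    rule: str
    command: str


def parse_event(line):
    """Split one constructed event line into (timestamp, parent, image, command)."""
    ts, rest = line.split(" ", 1)
    proc, cmd = rest.split(" : ", 1)
    parent, image = (p.strip() for p in proc.split("->"))
    return ts, parent, image, cmd


def scan_events(text):
    """Return a Hit for every (event, rule) pair whose command line matches."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmd = parse_event(line)
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append(Hit(ts, parent, image, name, cmd))
    return hits


def tampering_parents(hits, min_rules=2):
    """Parents that triggered at least min_rules distinct rules. One process that
    both deletes shadow copies and disables recovery is a much stronger signal
    than any single hit, and it is the page's described sequence."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h.parent, set()).add(h.rule)
    return {p for p, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.timestamp} [{h.rule}] {h.parent} -> {h.image}: {h.command}")
    print("processes tampering with recovery:", tampering_parents(found))
```

A bare `bcdedit.exe /enum` or an administrator's one-off `bcdedit` change will not clear the correlation threshold, which is the point of grouping by parent rather than alerting on each rule alone.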
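The Infection section also leaves a distinctive on-disk layout behind: a hidden folder, a .lnk with the same name next to it, and a desktop.ini inside the folder that is really a PE image. Because this is how Matrix propagates over network shares and removable drives, a scan for that layout is a useful check on file servers and USB media. The following is an added example of such a scan, not code from the page; Python, the directory walk, and the constructed demo tree are my assumptions. It keys on the one fact that never varies, a desktop.ini beginning with the "MZ" DOS header, and reports the hidden attribute only where the platform exposes it.

```python
import os
import tempfile

PE_MAGIC = b"MZ"            # DOS header signature every Windows executable starts with
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit


def is_hidden(path):
    """True/False on Windows (hidden attribute); None where the attribute is unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def desktop_ini_is_executable(folder):
    """A genuine desktop.ini is a text file starting with [.ShellClassInfo]; one
    that starts with a PE header is an executable disguised as folder metadata."""
    ini = os.path.join(folder, "desktop.ini")
    if not os.path.isfile(ini):
        return False
    with open(ini, "rb") as fh:
        return fh.read(len(PE_MAGIC)) == PE_MAGIC


def find_decoy_shortcuts(root):
    """Walk root and report every folder that has a same-named .lnk beside it AND
    an executable disguised as desktop.ini inside it (the page's layout)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {n.lower(): n for n in filenames}  # case-insensitive like NTFS
        for d in dirnames:
            shortcut = by_lower.get(d.lower() + ".lnk")
            folder = os.path.join(dirpath, d)
            if shortcut and desktop_ini_is_executable(folder):
                findings.append({
                    "folder": folder,
                    "shortcut": os.path.join(dirpath, shortcut),
                    "hidden": is_hidden(folder),
                })
    return findings


def build_demo_tree(base):
    """Constructed layout for a dry run (not a real sample): one decoy pair and
    one clean folder with an ordinary desktop.ini."""
    decoy = os.path.join(base, "Documents")
    os.makedirs(decoy)
    with open(os.path.join(decoy, "desktop.ini"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90\x00" + b"stand-in for a PE image (constructed)")
    with open(os.path.join(base, "Documents.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00 stand-in for a shell link (constructed)")
    clean = os.path.join(base, "Pictures")
    os.makedirs(clean)
    with open(os.path.join(clean, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\n")
    return base


def demo():
    """Build the constructed tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_decoy_shortcuts(build_demo_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print("decoy folder:", f["folder"], "| shortcut:", f["shortcut"], "| hidden:", f["hidden"])
```

Run it against a share root instead of the demo tree to sweep real storage; the clean Pictures folder in the demo shows that an ordinary desktop.ini does not trigger a finding.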